Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

az cli 2.40.0; az network application-gateway update errors ' selected SKU tier WAF_v2 must have a valid WAF policy or configuration' when changing WAF tier

See original GitHub issue

This is autogenerated. Please review and update as needed.

Describe the bug

Command Name az network application-gateway update

Errors:

(ApplicationGatewayFirewallNotConfiguredForSelectedSku) Application Gateway /subscriptions/Subscription_ID/resourceGroups/MC_xyz-rg_xyz-aks_eastus/providers/Microsoft.Network/applicationGateways/xyz-aks-apgtw with the selected SKU tier WAF_v2 must have a valid WAF policy or configuration
Code: ApplicationGatewayFirewallNotConfiguredForSelectedSku
Message: Application Gateway /subscriptions/Subscription_ID/resourceGroups/MC_xyz-rg_xyz-aks_eastus/providers/Microsoft.Network/applicationGateways/xyz-aks-apgtw **with the selected SKU tier WAF_v2 must have a valid WAF policy or configuration**

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information. By the way, the application-gateway is ‘autogenerated’ with kubernetes, so the resource group naming is MC_xyz-rg_xyz-aks_eastus.

Put any pre-requisite steps here…
az network application-gateway update --name {} --resource-group {} --sku {}

Expected Behavior

Environment Summary

Linux-5.10.16.3-microsoft-standard-WSL2-x86_64-with-glibc2.27, Ubuntu 18.04.6 LTS
Python 3.10.5
Installer: DEB

azure-cli 2.40.0

Extensions:
azure-devops 0.25.0

Dependencies:
msal 1.18.0b1
azure-mgmt-resource 21.1.0b1

Additional Context

Issue Analytics

State:
Created a year ago
Comments:9 (3 by maintainers)

Top GitHub Comments

1reaction

necusjzcommented, Sep 29, 2022

@manikg321 Thanks for your detailed user scenarios and I’ll jump into them.

Here could be a workaround: https://www.reddit.com/r/AZURE/comments/wvgtlg/waf_policy_application_gateway_and_rest_api/

0reactions

necusjzcommented, Dec 20, 2022

As it’s a breaking change from service side, we can do nothing about that. But here’s a workaround for creating an application gateway with a WAF policy:

1. az network public-ip create -g {rg} -n pubip1 --sku Standard
2. az network application-gateway waf-policy create -n waf1 -g {rg}
3. az network application-gateway create -g {rg} -n ag1 --sku WAF_v2 --public-ip-address pubip1 --priority 1001 --waf-policy waf1

Top Results From Across the Web

az network application-gateway waf-policy policy-setting

Update properties of a web application firewall global configuration. az network application-gateway waf-policy policy-setting list. Edit. List properties of a ...

Work with WAF v2 and Application Gateway WAF policies on ...

In this post, we will look at the WAF v2 tier of the Azure Application Gateway and how we can integrate a custom...

Ensure Azure Application Gateway Web application firewall ...

sku.tier = “WAF” or “WAFv2”. waf_configuration.enabled = true. Example Configuration ...

Azure Application Gateway Web Application Firewall (WAF) v2 ...

With the gaining momentum of SAP Fiori adoption for customers using SAP S/4HANA and SAP Business Suites systems, there often seems to be...

Remove WAF policy on Azure Gateway - Server Fault

WAF policies can be deleted from an application gateway by using the Azure CLI. Stop the application gateway. az network application-gateway ...